[kernel] r19825 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Feb 18 23:26:08 UTC 2013
Author: dannf
Date: Mon Feb 18 23:26:08 2013
New Revision: 19825
Log:
ptrace: Fix race condition allowing kernel stack corruption (CVE-2013-0871)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Add-why-to-ptrace_stop.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Always-put-ptracee-into-appropriate-execution-state.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Clean-transitions-between-TASK_STOPPED-and-TRACED.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Kill-tracehook_notify_jctl.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Make-do_signal_stop-use-ptrace_stop-if-the-task-is-being-ptraced.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-collapse-ptrace_untrace-into-__ptrace_unlink.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-ensure-arch_ptrace-ptrace_request-can-never-race-with-SIGKILL.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-introduce-signal_wake_up_state-and-ptrace_signal_wake_up.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-ptrace_check_attach-should-not-do-STOPPED-TRACED.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-remove-silly-wait_trap-variable-from-ptrace-attach.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/signal-Fix-premature-completion-of-group-stop-when-interfered-by-ptrace.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/signal-Remove-superflous-try_to_freeze-loop-in-do_signal_stop.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/signal-Use-GROUP_STOP_PENDING-to-stop-once-for-a-single-group-stop.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/wake_up_process-should-be-never-used-to-wakeup-a-TASK_STOPPED-TRACED-tack.patch
dists/squeeze-security/linux-2.6/debian/patches/series/46squeeze2
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Mon Feb 18 18:07:44 2013 (r19824)
+++ dists/squeeze-security/linux-2.6/debian/changelog Mon Feb 18 23:26:08 2013 (r19825)
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.32-46squeeze2) UNRELEASED; urgency=high
+
+ * ptrace: Fix race condition allowing kernel stack corruption (CVE-2013-0871)
+
+ -- dann frazier <dannf at dannf.org> Mon, 18 Feb 2013 16:14:40 -0700
+
linux-2.6 (2.6.32-46squeeze1) stable-security; urgency=high
* kmod: make __request_module() killable (CVE-2012-4398)
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Add-why-to-ptrace_stop.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Add-why-to-ptrace_stop.patch Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,54 @@
+commit fe1bc6a0954611b806f9e158eb0817cf8ba21660
+Author: Tejun Heo <tj at kernel.org>
+Date: Wed Mar 23 10:37:00 2011 +0100
+
+ ptrace: Add @why to ptrace_stop()
+
+ To prepare for cleanup of the interaction between group stop and
+ ptrace, add @why to ptrace_stop(). Existing users are updated such
+ that there is no behavior change.
+
+ Signed-off-by: Tejun Heo <tj at kernel.org>
+ Acked-by: Roland McGrath <roland at redhat.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index a04db3b..4a238e1 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1612,7 +1612,7 @@ static int sigkill_pending(struct task_struct *tsk)
+ * If we actually decide not to stop at all because the tracer
+ * is gone, we keep current->exit_code unless clear_code.
+ */
+-static void ptrace_stop(int exit_code, int clear_code, siginfo_t *info)
++static void ptrace_stop(int exit_code, int why, int clear_code, siginfo_t *info)
+ {
+ if (arch_ptrace_stop_needed(exit_code, info)) {
+ /*
+@@ -1648,7 +1648,7 @@ static void ptrace_stop(int exit_code, int clear_code, siginfo_t *info)
+ spin_unlock_irq(¤t->sighand->siglock);
+ read_lock(&tasklist_lock);
+ if (may_ptrace_stop()) {
+- do_notify_parent_cldstop(current, CLD_TRAPPED);
++ do_notify_parent_cldstop(current, why);
+ /*
+ * Don't want to allow preemption here, because
+ * sys_ptrace() needs this task to be inactive.
+@@ -1707,7 +1707,7 @@ void ptrace_notify(int exit_code)
+
+ /* Let the debugger run. */
+ spin_lock_irq(¤t->sighand->siglock);
+- ptrace_stop(exit_code, 1, &info);
++ ptrace_stop(exit_code, CLD_TRAPPED, 1, &info);
+ spin_unlock_irq(¤t->sighand->siglock);
+ }
+
+@@ -1791,7 +1791,7 @@ static int ptrace_signal(int signr, siginfo_t *info,
+ ptrace_signal_deliver(regs, cookie);
+
+ /* Let the debugger run. */
+- ptrace_stop(signr, 0, info);
++ ptrace_stop(signr, CLD_TRAPPED, 0, info);
+
+ /* We're back. Did the debugger cancel the sig? */
+ signr = current->exit_code;
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Always-put-ptracee-into-appropriate-execution-state.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Always-put-ptracee-into-appropriate-execution-state.patch Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,142 @@
+commit 0e9f0a4abfd80f8adca624538d479d95159b16d8
+Author: Tejun Heo <tj at kernel.org>
+Date: Wed Mar 23 10:37:01 2011 +0100
+
+ ptrace: Always put ptracee into appropriate execution state
+
+ Currently, __ptrace_unlink() wakes up the tracee iff it's in
+ TASK_TRACED. For unlinking from PTRACE_DETACH, this is correct as the
+ tracee is guaranteed to be in TASK_TRACED or dead; however, unlinking
+ also happens when the ptracer exits and in this case the ptracee can
+ be in any state and ptrace might be left running even if the group it
+ belongs to is stopped.
+
+ This patch updates __ptrace_unlink() such that GROUP_STOP_PENDING is
+ reinstated regardless of the ptracee's current state as long as it's
+ alive and makes sure that signal_wake_up() is called if execution
+ state transition is necessary.
+
+ Test case follows.
+
+ #include <unistd.h>
+ #include <time.h>
+ #include <sys/types.h>
+ #include <sys/ptrace.h>
+ #include <sys/wait.h>
+
+ static const struct timespec ts1s = { .tv_sec = 1 };
+
+ int main(void)
+ {
+ pid_t tracee;
+ siginfo_t si;
+
+ tracee = fork();
+ if (tracee == 0) {
+ while (1) {
+ nanosleep(&ts1s, NULL);
+ write(1, ".", 1);
+ }
+ }
+
+ ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
+ waitid(P_PID, tracee, &si, WSTOPPED);
+ ptrace(PTRACE_CONT, tracee, NULL, (void *)(long)si.si_status);
+ waitid(P_PID, tracee, &si, WSTOPPED);
+ ptrace(PTRACE_CONT, tracee, NULL, (void *)(long)si.si_status);
+ write(1, "exiting", 7);
+ return 0;
+ }
+
+ Before the patch, after the parent process exits, the child is left
+ running and prints out "." every second.
+
+ exiting..... (continues)
+
+ After the patch, the group stop initiated by the implied SIGSTOP from
+ PTRACE_ATTACH is re-established when the parent exits.
+
+ exiting
+
+ Signed-off-by: Tejun Heo <tj at kernel.org>
+ Reported-by: Oleg Nesterov <oleg at redhat.com>
+ Acked-by: Oleg Nesterov <oleg at redhat.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index 3a1b800..c17536a 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -41,7 +41,26 @@ void __ptrace_link(struct task_struct *child, struct task_struct *new_parent)
+ * __ptrace_unlink - unlink ptracee and restore its execution state
+ * @child: ptracee to be unlinked
+ *
+- * Remove @child from the ptrace list, move it back to the original parent.
++ * Remove @child from the ptrace list, move it back to the original parent,
++ * and restore the execution state so that it conforms to the group stop
++ * state.
++ *
++ * Unlinking can happen via two paths - explicit PTRACE_DETACH or ptracer
++ * exiting. For PTRACE_DETACH, unless the ptracee has been killed between
++ * ptrace_check_attach() and here, it's guaranteed to be in TASK_TRACED.
++ * If the ptracer is exiting, the ptracee can be in any state.
++ *
++ * After detach, the ptracee should be in a state which conforms to the
++ * group stop. If the group is stopped or in the process of stopping, the
++ * ptracee should be put into TASK_STOPPED; otherwise, it should be woken
++ * up from TASK_TRACED.
++ *
++ * If the ptracee is in TASK_TRACED and needs to be moved to TASK_STOPPED,
++ * it goes through TRACED -> RUNNING -> STOPPED transition which is similar
++ * to but in the opposite direction of what happens while attaching to a
++ * stopped task. However, in this direction, the intermediate RUNNING
++ * state is not hidden even from the current ptracer and if it immediately
++ * re-attaches and performs a WNOHANG wait(2), it may fail.
+ *
+ * CONTEXT:
+ * write_lock_irq(tasklist_lock)
+@@ -56,25 +75,25 @@ void __ptrace_unlink(struct task_struct *child)
+
+ spin_lock(&child->sighand->siglock);
+ arch_ptrace_untrace(child);
+- if (task_is_traced(child)) {
+- /*
+- * If group stop is completed or in progress, it should
+- * participate in the group stop. Set GROUP_STOP_PENDING
+- * before kicking it.
+- *
+- * This involves TRACED -> RUNNING -> STOPPED transition
+- * which is similar to but in the opposite direction of
+- * what happens while attaching to a stopped task.
+- * However, in this direction, the intermediate RUNNING
+- * state is not hidden even from the current ptracer and if
+- * it immediately re-attaches and performs a WNOHANG
+- * wait(2), it may fail.
+- */
+- if (child->signal->flags & SIGNAL_STOP_STOPPED ||
+- child->signal->group_stop_count)
+- child->group_stop |= GROUP_STOP_PENDING;
+- signal_wake_up(child, 1);
+- }
++
++ /*
++ * Reinstate GROUP_STOP_PENDING if group stop is in effect and
++ * @child isn't dead.
++ */
++ if (!(child->flags & PF_EXITING) &&
++ (child->signal->flags & SIGNAL_STOP_STOPPED ||
++ child->signal->group_stop_count))
++ child->group_stop |= GROUP_STOP_PENDING;
++
++ /*
++ * If transition to TASK_STOPPED is pending or in TASK_TRACED, kick
++ * @child in the butt. Note that @resume should be used iff @child
++ * is in TASK_TRACED; otherwise, we might unduly disrupt
++ * TASK_KILLABLE sleeps.
++ */
++ if (child->group_stop & GROUP_STOP_PENDING || task_is_traced(child))
++ signal_wake_up(child, task_is_traced(child));
++
+ spin_unlock(&child->sighand->siglock);
+ }
+
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Clean-transitions-between-TASK_STOPPED-and-TRACED.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Clean-transitions-between-TASK_STOPPED-and-TRACED.patch Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,309 @@
+commit d79fdd6d96f46fabb779d86332e3677c6f5c2a4f
+Author: Tejun Heo <tj at kernel.org>
+Date: Wed Mar 23 10:37:00 2011 +0100
+
+ ptrace: Clean transitions between TASK_STOPPED and TRACED
+
+ Currently, if the task is STOPPED on ptrace attach, it's left alone
+ and the state is silently changed to TRACED on the next ptrace call.
+ The behavior breaks the assumption that arch_ptrace_stop() is called
+ before any task is poked by ptrace and is ugly in that a task
+ manipulates the state of another task directly.
+
+ With GROUP_STOP_PENDING, the transitions between TASK_STOPPED and
+ TRACED can be made clean. The tracer can use the flag to tell the
+ tracee to retry stop on attach and detach. On retry, the tracee will
+ enter the desired state in the correct way. The lower 16bits of
+ task->group_stop is used to remember the signal number which caused
+ the last group stop. This is used while retrying for ptrace attach as
+ the original group_exit_code could have been consumed with wait(2) by
+ then.
+
+ As the real parent may wait(2) and consume the group_exit_code
+ anytime, the group_exit_code needs to be saved separately so that it
+ can be used when switching from regular sleep to ptrace_stop(). This
+ is recorded in the lower 16bits of task->group_stop.
+
+ If a task is already stopped and there's no intervening SIGCONT, a
+ ptrace request immediately following a successful PTRACE_ATTACH should
+ always succeed even if the tracer doesn't wait(2) for attach
+ completion; however, with this change, the tracee might still be
+ TASK_RUNNING trying to enter TASK_TRACED which would cause the
+ following request to fail with -ESRCH.
+
+ This intermediate state is hidden from the ptracer by setting
+ GROUP_STOP_TRAPPING on attach and making ptrace_check_attach() wait
+ for it to clear on its signal->wait_chldexit. Completing the
+ transition or getting killed clears TRAPPING and wakes up the tracer.
+
+ Note that the STOPPED -> RUNNING -> TRACED transition is still visible
+ to other threads which are in the same group as the ptracer and the
+ reverse transition is visible to all. Please read the comments for
+ details.
+
+ Oleg:
+
+ * Spotted a race condition where a task may retry group stop without
+ proper bookkeeping. Fixed by redoing bookkeeping on retry.
+
+ * Spotted that the transition is visible to userland in several
+ different ways. Most are fixed with GROUP_STOP_TRAPPING. Unhandled
+ corner case is documented.
+
+ * Pointed out not setting GROUP_STOP_SIGMASK on an already stopped
+ task would result in more consistent behavior.
+
+ * Pointed out that calling ptrace_stop() from do_signal_stop() in
+ TASK_STOPPED can race with group stop start logic and then confuse
+ the TRAPPING wait in ptrace_check_attach(). ptrace_stop() is now
+ called with TASK_RUNNING.
+
+ * Suggested using signal->wait_chldexit instead of bit wait.
+
+ * Spotted a race condition between TRACED transition and clearing of
+ TRAPPING.
+
+ Signed-off-by: Tejun Heo <tj at kernel.org>
+ Acked-by: Oleg Nesterov <oleg at redhat.com>
+ Cc: Roland McGrath <roland at redhat.com>
+ Cc: Jan Kratochvil <jan.kratochvil at redhat.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index 7539fbe..0ed8f30 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1845,8 +1845,10 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t *
+ /*
+ * task->group_stop flags
+ */
++#define GROUP_STOP_SIGMASK 0xffff /* signr of the last group stop */
+ #define GROUP_STOP_PENDING (1 << 16) /* task should stop for group stop */
+ #define GROUP_STOP_CONSUME (1 << 17) /* consume group stop count */
++#define GROUP_STOP_TRAPPING (1 << 18) /* switching from STOPPED to TRACED */
+
+ extern void task_clear_group_stop_pending(struct task_struct *task);
+
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index b24ccb3..3a1b800 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -58,14 +58,22 @@ void __ptrace_unlink(struct task_struct *child)
+ arch_ptrace_untrace(child);
+ if (task_is_traced(child)) {
+ /*
+- * If the group stop is completed or in progress,
+- * this thread was already counted as stopped.
++ * If group stop is completed or in progress, it should
++ * participate in the group stop. Set GROUP_STOP_PENDING
++ * before kicking it.
++ *
++ * This involves TRACED -> RUNNING -> STOPPED transition
++ * which is similar to but in the opposite direction of
++ * what happens while attaching to a stopped task.
++ * However, in this direction, the intermediate RUNNING
++ * state is not hidden even from the current ptracer and if
++ * it immediately re-attaches and performs a WNOHANG
++ * wait(2), it may fail.
+ */
+ if (child->signal->flags & SIGNAL_STOP_STOPPED ||
+ child->signal->group_stop_count)
+- __set_task_state(child, TASK_STOPPED);
+- else
+- signal_wake_up(child, 1);
++ child->group_stop |= GROUP_STOP_PENDING;
++ signal_wake_up(child, 1);
+ }
+ spin_unlock(&child->sighand->siglock);
+ }
+@@ -156,6 +164,7 @@ bool ptrace_may_access(struct task_struct *task, unsigned int mode)
+
+ int ptrace_attach(struct task_struct *task)
+ {
++ bool wait_trap = false;
+ int retval;
+
+ audit_ptrace(task);
+@@ -195,12 +204,42 @@ int ptrace_attach(struct task_struct *task)
+ __ptrace_link(task, current);
+ send_sig_info(SIGSTOP, SEND_SIG_FORCED, task);
+
++ spin_lock(&task->sighand->siglock);
++
++ /*
++ * If the task is already STOPPED, set GROUP_STOP_PENDING and
++ * TRAPPING, and kick it so that it transits to TRACED. TRAPPING
++ * will be cleared if the child completes the transition or any
++ * event which clears the group stop states happens. We'll wait
++ * for the transition to complete before returning from this
++ * function.
++ *
++ * This hides STOPPED -> RUNNING -> TRACED transition from the
++ * attaching thread but a different thread in the same group can
++ * still observe the transient RUNNING state. IOW, if another
++ * thread's WNOHANG wait(2) on the stopped tracee races against
++ * ATTACH, the wait(2) may fail due to the transient RUNNING.
++ *
++ * The following task_is_stopped() test is safe as both transitions
++ * in and out of STOPPED are protected by siglock.
++ */
++ if (task_is_stopped(task)) {
++ task->group_stop |= GROUP_STOP_PENDING | GROUP_STOP_TRAPPING;
++ signal_wake_up(task, 1);
++ wait_trap = true;
++ }
++
++ spin_unlock(&task->sighand->siglock);
++
+ retval = 0;
+ unlock_tasklist:
+ write_unlock_irq(&tasklist_lock);
+ unlock_creds:
+ mutex_unlock(&task->cred_guard_mutex);
+ out:
++ if (wait_trap)
++ wait_event(current->signal->wait_chldexit,
++ !(task->group_stop & GROUP_STOP_TRAPPING));
+ return retval;
+ }
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 7cc7efe..ea848c4 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -189,6 +189,26 @@ int next_signal(struct sigpending *pending, sigset_t *mask)
+ }
+
+ /**
++ * task_clear_group_stop_trapping - clear group stop trapping bit
++ * @task: target task
++ *
++ * If GROUP_STOP_TRAPPING is set, a ptracer is waiting for us. Clear it
++ * and wake up the ptracer. Note that we don't need any further locking.
++ * @task->siglock guarantees that @task->parent points to the ptracer.
++ *
++ * CONTEXT:
++ * Must be called with @task->sighand->siglock held.
++ */
++static void task_clear_group_stop_trapping(struct task_struct *task)
++{
++ if (unlikely(task->group_stop & GROUP_STOP_TRAPPING)) {
++ task->group_stop &= ~GROUP_STOP_TRAPPING;
++ __wake_up_sync(&task->parent->signal->wait_chldexit,
++ TASK_UNINTERRUPTIBLE, 1);
++ }
++}
++
++/**
+ * task_clear_group_stop_pending - clear pending group stop
+ * @task: target task
+ *
+@@ -1643,8 +1663,20 @@ static void ptrace_stop(int exit_code, int why, int clear_code, siginfo_t *info)
+ current->last_siginfo = info;
+ current->exit_code = exit_code;
+
+- /* Let the debugger run. */
+- __set_current_state(TASK_TRACED);
++ /*
++ * TRACED should be visible before TRAPPING is cleared; otherwise,
++ * the tracer might fail do_wait().
++ */
++ set_current_state(TASK_TRACED);
++
++ /*
++ * We're committing to trapping. Clearing GROUP_STOP_TRAPPING and
++ * transition to TASK_TRACED should be atomic with respect to
++ * siglock. This hsould be done after the arch hook as siglock is
++ * released and regrabbed across it.
++ */
++ task_clear_group_stop_trapping(current);
++
+ spin_unlock_irq(¤t->sighand->siglock);
+ read_lock(&tasklist_lock);
+ if (may_ptrace_stop()) {
+@@ -1725,6 +1757,9 @@ static int do_signal_stop(int signr)
+ unsigned int gstop = GROUP_STOP_PENDING | GROUP_STOP_CONSUME;
+ struct task_struct *t;
+
++ /* signr will be recorded in task->group_stop for retries */
++ WARN_ON_ONCE(signr & ~GROUP_STOP_SIGMASK);
++
+ if (!likely(sig->flags & SIGNAL_STOP_DEQUEUED) ||
+ unlikely(signal_group_exit(sig)))
+ return 0;
+@@ -1734,25 +1769,27 @@ static int do_signal_stop(int signr)
+ */
+ sig->group_exit_code = signr;
+
+- current->group_stop = gstop;
++ current->group_stop &= ~GROUP_STOP_SIGMASK;
++ current->group_stop |= signr | gstop;
+ sig->group_stop_count = 1;
+- for (t = next_thread(current); t != current; t = next_thread(t))
++ for (t = next_thread(current); t != current;
++ t = next_thread(t)) {
++ t->group_stop &= ~GROUP_STOP_SIGMASK;
+ /*
+ * Setting state to TASK_STOPPED for a group
+ * stop is always done with the siglock held,
+ * so this check has no races.
+ */
+ if (!(t->flags & PF_EXITING) && !task_is_stopped(t)) {
+- t->group_stop = gstop;
++ t->group_stop |= signr | gstop;
+ sig->group_stop_count++;
+ signal_wake_up(t, 0);
+- } else
++ } else {
+ task_clear_group_stop_pending(t);
++ }
++ }
+ }
+-
+- current->exit_code = sig->group_exit_code;
+- __set_current_state(TASK_STOPPED);
+-
++retry:
+ if (likely(!task_ptrace(current))) {
+ int notify = 0;
+
+@@ -1764,6 +1801,7 @@ static int do_signal_stop(int signr)
+ if (task_participate_group_stop(current))
+ notify = CLD_STOPPED;
+
++ __set_current_state(TASK_STOPPED);
+ spin_unlock_irq(¤t->sighand->siglock);
+
+ if (notify) {
+@@ -1776,13 +1814,28 @@ static int do_signal_stop(int signr)
+ schedule();
+
+ spin_lock_irq(¤t->sighand->siglock);
+- } else
+- ptrace_stop(current->exit_code, CLD_STOPPED, 0, NULL);
++ } else {
++ ptrace_stop(current->group_stop & GROUP_STOP_SIGMASK,
++ CLD_STOPPED, 0, NULL);
++ current->exit_code = 0;
++ }
++
++ /*
++ * GROUP_STOP_PENDING could be set if another group stop has
++ * started since being woken up or ptrace wants us to transit
++ * between TASK_STOPPED and TRACED. Retry group stop.
++ */
++ if (current->group_stop & GROUP_STOP_PENDING) {
++ WARN_ON_ONCE(!(current->group_stop & GROUP_STOP_SIGMASK));
++ goto retry;
++ }
++
++ /* PTRACE_ATTACH might have raced with task killing, clear trapping */
++ task_clear_group_stop_trapping(current);
+
+ spin_unlock_irq(¤t->sighand->siglock);
+
+ tracehook_finish_jctl();
+- current->exit_code = 0;
+
+ return 1;
+ }
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Kill-tracehook_notify_jctl.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Kill-tracehook_notify_jctl.patch Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,131 @@
+commit edf2ed153bcae52de70db00a98b0e81a5668e563
+Author: Tejun Heo <tj at kernel.org>
+Date: Wed Mar 23 10:37:00 2011 +0100
+
+ ptrace: Kill tracehook_notify_jctl()
+
+ tracehook_notify_jctl() aids in determining whether and what to report
+ to the parent when a task is stopped or continued. The function also
+ adds an extra requirement that siglock may be released across it,
+ which is currently unused and quite difficult to satisfy in
+ well-defined manner.
+
+ As job control and the notifications are about to receive major
+ overhaul, remove the tracehook and open code it. If ever necessary,
+ let's factor it out after the overhaul.
+
+ * Oleg spotted incorrect CLD_CONTINUED/STOPPED selection when ptraced.
+ Fixed.
+
+ Signed-off-by: Tejun Heo <tj at kernel.org>
+ Cc: Oleg Nesterov <oleg at redhat.com>
+ Cc: Roland McGrath <roland at redhat.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/include/linux/tracehook.h b/include/linux/tracehook.h
+index 1eb44a9..782217a 100644
+--- a/include/linux/tracehook.h
++++ b/include/linux/tracehook.h
+@@ -462,33 +462,6 @@ static inline int tracehook_get_signal(struct task_struct *task,
+ }
+
+ /**
+- * tracehook_notify_jctl - report about job control stop/continue
+- * @notify: zero, %CLD_STOPPED or %CLD_CONTINUED
+- * @why: %CLD_STOPPED or %CLD_CONTINUED
+- *
+- * This is called when we might call do_notify_parent_cldstop().
+- *
+- * @notify is zero if we would not ordinarily send a %SIGCHLD,
+- * or is the %CLD_STOPPED or %CLD_CONTINUED .si_code for %SIGCHLD.
+- *
+- * @why is %CLD_STOPPED when about to stop for job control;
+- * we are already in %TASK_STOPPED state, about to call schedule().
+- * It might also be that we have just exited (check %PF_EXITING),
+- * but need to report that a group-wide stop is complete.
+- *
+- * @why is %CLD_CONTINUED when waking up after job control stop and
+- * ready to make a delayed @notify report.
+- *
+- * Return the %CLD_* value for %SIGCHLD, or zero to generate no signal.
+- *
+- * Called with the siglock held.
+- */
+-static inline int tracehook_notify_jctl(int notify, int why)
+-{
+- return notify ?: (current->ptrace & PT_PTRACED) ? why : 0;
+-}
+-
+-/**
+ * tracehook_finish_jctl - report about return from job control stop
+ *
+ * This is called by do_signal_stop() after wakeup.
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 2494827..bd8a241 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1667,7 +1667,7 @@ void ptrace_notify(int exit_code)
+ static int do_signal_stop(int signr)
+ {
+ struct signal_struct *sig = current->signal;
+- int notify;
++ int notify = 0;
+
+ if (!sig->group_stop_count) {
+ struct task_struct *t;
+@@ -1699,19 +1699,16 @@ static int do_signal_stop(int signr)
+ * a group stop in progress and we are the last to stop, report
+ * to the parent. When ptraced, every thread reports itself.
+ */
+- notify = sig->group_stop_count == 1 ? CLD_STOPPED : 0;
+- notify = tracehook_notify_jctl(notify, CLD_STOPPED);
+- /*
+- * tracehook_notify_jctl() can drop and reacquire siglock, so
+- * we keep ->group_stop_count != 0 before the call. If SIGCONT
+- * or SIGKILL comes in between ->group_stop_count == 0.
+- */
+- if (sig->group_stop_count) {
+- if (!--sig->group_stop_count)
+- sig->flags = SIGNAL_STOP_STOPPED;
+- current->exit_code = sig->group_exit_code;
+- __set_current_state(TASK_STOPPED);
++ if (!--sig->group_stop_count) {
++ sig->flags = SIGNAL_STOP_STOPPED;
++ notify = CLD_STOPPED;
+ }
++ if (task_ptrace(current))
++ notify = CLD_STOPPED;
++
++ current->exit_code = sig->group_exit_code;
++ __set_current_state(TASK_STOPPED);
++
+ spin_unlock_irq(¤t->sighand->siglock);
+
+ if (notify) {
+@@ -1797,14 +1794,11 @@ relock:
+ ? CLD_CONTINUED : CLD_STOPPED;
+ signal->flags &= ~SIGNAL_CLD_MASK;
+
+- why = tracehook_notify_jctl(why, CLD_CONTINUED);
+ spin_unlock_irq(&sighand->siglock);
+
+- if (why) {
+- read_lock(&tasklist_lock);
+- do_notify_parent_cldstop(current->group_leader, why);
+- read_unlock(&tasklist_lock);
+- }
++ read_lock(&tasklist_lock);
++ do_notify_parent_cldstop(current->group_leader, why);
++ read_unlock(&tasklist_lock);
+ goto relock;
+ }
+
+@@ -1969,7 +1963,7 @@ void exit_signals(struct task_struct *tsk)
+ if (unlikely(tsk->signal->group_stop_count) &&
+ !--tsk->signal->group_stop_count) {
+ tsk->signal->flags = SIGNAL_STOP_STOPPED;
+- group_stop = tracehook_notify_jctl(CLD_STOPPED, CLD_STOPPED);
++ group_stop = CLD_STOPPED;
+ }
+ out:
+ spin_unlock_irq(&tsk->sighand->siglock);
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Make-do_signal_stop-use-ptrace_stop-if-the-task-is-being-ptraced.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-Make-do_signal_stop-use-ptrace_stop-if-the-task-is-being-ptraced.patch Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,108 @@
+commit 5224fa3660ad3881d2f2ad726d22614117963f10
+Author: Tejun Heo <tj at kernel.org>
+Date: Wed Mar 23 10:37:00 2011 +0100
+
+ ptrace: Make do_signal_stop() use ptrace_stop() if the task is being ptraced
+
+ A ptraced task would still stop at do_signal_stop() when it's stopping
+ for stop signals and do_signal_stop() behaves the same whether the
+ task is ptraced or not. However, in addition to stopping,
+ ptrace_stop() also does ptrace specific stuff like calling
+ architecture specific callbacks, so this behavior makes the code more
+ fragile and difficult to understand.
+
+ This patch makes do_signal_stop() test whether the task is ptraced and
+ use ptrace_stop() if so. This renders tracehook_notify_jctl() rather
+ pointless as the ptrace notification is now handled by ptrace_stop()
+ regardless of the return value from the tracehook. It probably is a
+ good idea to update it.
+
+ This doesn't solve the whole problem as tasks already in stopped state
+ would stay in the regular stop when ptrace attached. That part will
+ be handled by the next patch.
+
+ Oleg pointed out that this makes a userland-visible change. Before,
+ SIGCONT would be able to wake up a task in group stop even if the task
+ is ptraced if the tracer hasn't issued another ptrace command
+ afterwards (as the next ptrace commands transitions the state into
+ TASK_TRACED which ignores SIGCONT wakeups). With this and the next
+ patch, SIGCONT may race with the transition into TASK_TRACED and is
+ ignored if the tracee already entered TASK_TRACED.
+
+ Another userland visible change of this and the next patch is that the
+ ptracee's state would now be TASK_TRACED where it used to be
+ TASK_STOPPED, which is visible via fs/proc.
+
+ Signed-off-by: Tejun Heo <tj at kernel.org>
+ Acked-by: Oleg Nesterov <oleg at redhat.com>
+ Cc: Roland McGrath <roland at redhat.com>
+ Cc: Jan Kratochvil <jan.kratochvil at redhat.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index adc676d..7cc7efe 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1720,7 +1720,6 @@ void ptrace_notify(int exit_code)
+ static int do_signal_stop(int signr)
+ {
+ struct signal_struct *sig = current->signal;
+- int notify = 0;
+
+ if (!(current->group_stop & GROUP_STOP_PENDING)) {
+ unsigned int gstop = GROUP_STOP_PENDING | GROUP_STOP_CONSUME;
+@@ -1750,29 +1749,37 @@ static int do_signal_stop(int signr)
+ } else
+ task_clear_group_stop_pending(t);
+ }
+- /*
+- * If there are no other threads in the group, or if there is
+- * a group stop in progress and we are the last to stop, report
+- * to the parent. When ptraced, every thread reports itself.
+- */
+- if (task_participate_group_stop(current))
+- notify = CLD_STOPPED;
+- if (task_ptrace(current))
+- notify = CLD_STOPPED;
+
+ current->exit_code = sig->group_exit_code;
+ __set_current_state(TASK_STOPPED);
+
+- spin_unlock_irq(¤t->sighand->siglock);
++ if (likely(!task_ptrace(current))) {
++ int notify = 0;
+
+- if (notify) {
+- read_lock(&tasklist_lock);
+- do_notify_parent_cldstop(current, notify);
+- read_unlock(&tasklist_lock);
+- }
++ /*
++ * If there are no other threads in the group, or if there
++ * is a group stop in progress and we are the last to stop,
++ * report to the parent.
++ */
++ if (task_participate_group_stop(current))
++ notify = CLD_STOPPED;
+
+- /* Now we don't run again until woken by SIGCONT or SIGKILL */
+- schedule();
++ spin_unlock_irq(¤t->sighand->siglock);
++
++ if (notify) {
++ read_lock(&tasklist_lock);
++ do_notify_parent_cldstop(current, notify);
++ read_unlock(&tasklist_lock);
++ }
++
++ /* Now we don't run again until woken by SIGCONT or SIGKILL */
++ schedule();
++
++ spin_lock_irq(¤t->sighand->siglock);
++ } else
++ ptrace_stop(current->exit_code, CLD_STOPPED, 0, NULL);
++
++ spin_unlock_irq(¤t->sighand->siglock);
+
+ tracehook_finish_jctl();
+ current->exit_code = 0;
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-collapse-ptrace_untrace-into-__ptrace_unlink.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-collapse-ptrace_untrace-into-__ptrace_unlink.patch Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,83 @@
+commit e3bd058f62896ec7a2c605ed62a0a811e9147947
+Author: Tejun Heo <tj at kernel.org>
+Date: Wed Mar 23 10:37:01 2011 +0100
+
+ ptrace: Collapse ptrace_untrace() into __ptrace_unlink()
+
+ Remove the extra task_is_traced() check in __ptrace_unlink() and
+ collapse ptrace_untrace() into __ptrace_unlink(). This is to prepare
+ for further changes.
+
+ While at it, drop the comment on top of ptrace_untrace() and convert
+ __ptrace_unlink() comment to docbook format. Detailed comment will be
+ added by the next patch.
+
+ This patch doesn't cause any visible behavior changes.
+
+ Signed-off-by: Tejun Heo <tj at kernel.org>
+ Acked-by: Oleg Nesterov <oleg at redhat.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index 05625f6..b24ccb3 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -37,16 +37,25 @@ void __ptrace_link(struct task_struct *child, struct task_struct *new_parent)
+ child->parent = new_parent;
+ }
+
+-/*
+- * Turn a tracing stop into a normal stop now, since with no tracer there
+- * would be no way to wake it up with SIGCONT or SIGKILL. If there was a
+- * signal sent that would resume the child, but didn't because it was in
+- * TASK_TRACED, resume it now.
+- * Requires that irqs be disabled.
++/**
++ * __ptrace_unlink - unlink ptracee and restore its execution state
++ * @child: ptracee to be unlinked
++ *
++ * Remove @child from the ptrace list, move it back to the original parent.
++ *
++ * CONTEXT:
++ * write_lock_irq(tasklist_lock)
+ */
+-static void ptrace_untrace(struct task_struct *child)
++void __ptrace_unlink(struct task_struct *child)
+ {
++ BUG_ON(!child->ptrace);
++
++ child->ptrace = 0;
++ child->parent = child->real_parent;
++ list_del_init(&child->ptrace_entry);
++
+ spin_lock(&child->sighand->siglock);
++ arch_ptrace_untrace(child);
+ if (task_is_traced(child)) {
+ /*
+ * If the group stop is completed or in progress,
+@@ -62,25 +71,6 @@ static void ptrace_untrace(struct task_struct *child)
+ }
+
+ /*
+- * unptrace a task: move it back to its original parent and
+- * remove it from the ptrace list.
+- *
+- * Must be called with the tasklist lock write-held.
+- */
+-void __ptrace_unlink(struct task_struct *child)
+-{
+- BUG_ON(!child->ptrace);
+-
+- child->ptrace = 0;
+- child->parent = child->real_parent;
+- list_del_init(&child->ptrace_entry);
+-
+- arch_ptrace_untrace(child);
+- if (task_is_traced(child))
+- ptrace_untrace(child);
+-}
+-
+-/*
+ * Check that we have indeed attached to the thing..
+ */
+ int ptrace_check_attach(struct task_struct *child, int kill)
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-ensure-arch_ptrace-ptrace_request-can-never-race-with-SIGKILL.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-ensure-arch_ptrace-ptrace_request-can-never-race-with-SIGKILL.patch Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,141 @@
+commit 9899d11f654474d2d54ea52ceaa2a1f4db3abd68
+Author: Oleg Nesterov <oleg at redhat.com>
+Date: Mon Jan 21 20:48:00 2013 +0100
+
+ ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL
+
+ putreg() assumes that the tracee is not running and pt_regs_access() can
+ safely play with its stack. However a killed tracee can return from
+ ptrace_stop() to the low-level asm code and do RESTORE_REST, this means
+ that debugger can actually read/modify the kernel stack until the tracee
+ does SAVE_REST again.
+
+ set_task_blockstep() can race with SIGKILL too and in some sense this
+ race is even worse, the very fact the tracee can be woken up breaks the
+ logic.
+
+ As Linus suggested we can clear TASK_WAKEKILL around the arch_ptrace()
+ call, this ensures that nobody can ever wakeup the tracee while the
+ debugger looks at it. Not only this fixes the mentioned problems, we
+ can do some cleanups/simplifications in arch_ptrace() paths.
+
+ Probably ptrace_unfreeze_traced() needs more callers, for example it
+ makes sense to make the tracee killable for oom-killer before
+ access_process_vm().
+
+ While at it, add the comment into may_ptrace_stop() to explain why
+ ptrace_stop() still can't rely on SIGKILL and signal_pending_state().
+
+ Reported-by: Salman Qazi <sqazi at google.com>
+ Reported-by: Suleiman Souhlal <suleiman at google.com>
+ Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index d8bfe12..4873dce 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -97,6 +97,41 @@ void __ptrace_unlink(struct task_struct *child)
+ spin_unlock(&child->sighand->siglock);
+ }
+
++/* Ensure that nothing can wake it up, even SIGKILL */
++static bool ptrace_freeze_traced(struct task_struct *task)
++{
++ bool ret = false;
++
++ /* Lockless, nobody but us can set this flag */
++ /* JOBCTL_LISTENING not implemented in 2.6.32 -dannf */
++ /* if (task->jobctl & JOBCTL_LISTENING)
++ return ret; */
++
++ spin_lock_irq(&task->sighand->siglock);
++ if (task_is_traced(task) && !__fatal_signal_pending(task)) {
++ task->state = __TASK_TRACED;
++ ret = true;
++ }
++ spin_unlock_irq(&task->sighand->siglock);
++
++ return ret;
++}
++
++static void ptrace_unfreeze_traced(struct task_struct *task)
++{
++ if (task->state != __TASK_TRACED)
++ return;
++
++ WARN_ON(!task->ptrace || task->parent != current);
++
++ spin_lock_irq(&task->sighand->siglock);
++ if (__fatal_signal_pending(task))
++ wake_up_state(task, __TASK_TRACED);
++ else
++ task->state = TASK_TRACED;
++ spin_unlock_irq(&task->sighand->siglock);
++}
++
+ /*
+ * Check that we have indeed attached to the thing..
+ */
+@@ -112,23 +147,29 @@ int ptrace_check_attach(struct task_struct *child, int kill)
+ * be changed by us so it's not changing right after this.
+ */
+ read_lock(&tasklist_lock);
+- if ((child->ptrace & PT_PTRACED) && child->parent == current) {
++ if (child->ptrace && child->parent == current) {
++ WARN_ON(child->state == __TASK_TRACED);
+ /*
+ * child->sighand can't be NULL, release_task()
+ * does ptrace_unlink() before __exit_signal().
+ */
+- spin_lock_irq(&child->sighand->siglock);
+- WARN_ON_ONCE(task_is_stopped(child));
+- if (task_is_traced(child) || kill)
++ if (kill || ptrace_freeze_traced(child))
+ ret = 0;
+- spin_unlock_irq(&child->sighand->siglock);
+ }
+ read_unlock(&tasklist_lock);
+
+- if (!ret && !kill)
+- ret = wait_task_inactive(child, TASK_TRACED) ? 0 : -ESRCH;
++ if (!ret && !kill) {
++ if (!wait_task_inactive(child, __TASK_TRACED)) {
++ /*
++ * This can only happen if may_ptrace_stop() fails and
++ * ptrace_stop() changes ->state back to TASK_RUNNING,
++ * so we should not worry about leaking __TASK_TRACED.
++ */
++ WARN_ON(child->state == __TASK_TRACED);
++ ret = -ESRCH;
++ }
++ }
+
+- /* All systems go.. */
+ return ret;
+ }
+
+@@ -681,6 +722,8 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, long, addr, long, data)
+ goto out_put_task_struct;
+
+ ret = arch_ptrace(child, request, addr, data);
++ if (ret || request != PTRACE_DETACH)
++ ptrace_unfreeze_traced(child);
+
+ out_put_task_struct:
+ put_task_struct(child);
+@@ -796,8 +839,11 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
+ }
+
+ ret = ptrace_check_attach(child, request == PTRACE_KILL);
+- if (!ret)
++ if (!ret) {
+ ret = compat_arch_ptrace(child, request, addr, data);
++ if (ret || request != PTRACE_DETACH)
++ ptrace_unfreeze_traced(child);
++ }
+
+ out_put_task_struct:
+ put_task_struct(child);
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-introduce-signal_wake_up_state-and-ptrace_signal_wake_up.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-introduce-signal_wake_up_state-and-ptrace_signal_wake_up.patch Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,98 @@
+commit 910ffdb18a6408e14febbb6e4b6840fd2c928c82
+Author: Oleg Nesterov <oleg at redhat.com>
+Date: Mon Jan 21 20:47:41 2013 +0100
+
+ ptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up()
+
+ Cleanup and preparation for the next change.
+
+ signal_wake_up(resume => true) is overused. None of ptrace/jctl callers
+ actually want to wakeup a TASK_WAKEKILL task, but they can't specify the
+ necessary mask.
+
+ Turn signal_wake_up() into signal_wake_up_state(state), reintroduce
+ signal_wake_up() as a trivial helper, and add ptrace_signal_wake_up()
+ which adds __TASK_TRACED.
+
+ This way ptrace_signal_wake_up() can work "inside" ptrace_request()
+ even if the tracee doesn't have the TASK_WAKEKILL bit set.
+
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index 0ed8f30..fdcafcc 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -2525,7 +2525,16 @@ static inline void thread_group_cputime_free(struct signal_struct *sig)
+ extern void recalc_sigpending_and_wake(struct task_struct *t);
+ extern void recalc_sigpending(void);
+
+-extern void signal_wake_up(struct task_struct *t, int resume_stopped);
++extern void signal_wake_up_state(struct task_struct *t, unsigned int state);
++
++static inline void signal_wake_up(struct task_struct *t, bool resume)
++{
++ signal_wake_up_state(t, resume ? TASK_WAKEKILL : 0);
++}
++static inline void ptrace_signal_wake_up(struct task_struct *t, bool resume)
++{
++ signal_wake_up_state(t, resume ? __TASK_TRACED : 0);
++}
+
+ /*
+ * Wrappers for p->thread_info->cpu access. No-op on UP.
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index 319dd93..daada48 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -92,7 +92,7 @@ void __ptrace_unlink(struct task_struct *child)
+ * TASK_KILLABLE sleeps.
+ */
+ if (child->group_stop & GROUP_STOP_PENDING || task_is_traced(child))
+- signal_wake_up(child, task_is_traced(child));
++ ptrace_signal_wake_up(child, true);
+
+ spin_unlock(&child->sighand->siglock);
+ }
+@@ -243,7 +243,7 @@ int ptrace_attach(struct task_struct *task)
+ */
+ if (task_is_stopped(task)) {
+ task->group_stop |= GROUP_STOP_PENDING | GROUP_STOP_TRAPPING;
+- signal_wake_up(task, 1);
++ signal_wake_up_state(task, __TASK_STOPPED);
+ }
+
+ spin_unlock(&task->sighand->siglock);
+diff --git a/kernel/signal.c b/kernel/signal.c
+index ea848c4..15da80d 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -581,23 +581,17 @@ int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info)
+ * No need to set need_resched since signal event passing
+ * goes through ->blocked
+ */
+-void signal_wake_up(struct task_struct *t, int resume)
++void signal_wake_up_state(struct task_struct *t, unsigned int state)
+ {
+- unsigned int mask;
+-
+ set_tsk_thread_flag(t, TIF_SIGPENDING);
+-
+ /*
+- * For SIGKILL, we want to wake it up in the stopped/traced/killable
++ * TASK_WAKEKILL also means wake it up in the stopped/traced/killable
+ * case. We don't check t->state here because there is a race with it
+ * executing another processor and just now entering stopped state.
+ * By using wake_up_state, we ensure the process will wake up and
+ * handle its death signal.
+ */
+- mask = TASK_INTERRUPTIBLE;
+- if (resume)
+- mask |= TASK_WAKEKILL;
+- if (!wake_up_state(t, mask))
++ if (!wake_up_state(t, state | TASK_INTERRUPTIBLE))
+ kick_process(t);
+ }
+
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-ptrace_check_attach-should-not-do-STOPPED-TRACED.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-ptrace_check_attach-should-not-do-STOPPED-TRACED.patch Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,42 @@
+commit 321fb561971ba0f10ce18c0f8a4b9fbfc7cef4b9
+Author: Oleg Nesterov <oleg at redhat.com>
+Date: Fri Apr 1 20:13:01 2011 +0200
+
+ ptrace: ptrace_check_attach() should not do s/STOPPED/TRACED/
+
+ After "ptrace: Clean transitions between TASK_STOPPED and TRACED"
+ d79fdd6d96f46fabb779d86332e3677c6f5c2a4f, ptrace_check_attach()
+ should never see a TASK_STOPPED tracee and s/STOPPED/TRACED/ is
+ no longer legal. Add the warning.
+
+ Note: ptrace_check_attach() can be greatly simplified, in particular
+ it doesn't need tasklist. But I'd prefer another patch for that.
+
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Signed-off-by: Tejun Heo <tj at kernel.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index daada48..d8bfe12 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -113,16 +113,14 @@ int ptrace_check_attach(struct task_struct *child, int kill)
+ */
+ read_lock(&tasklist_lock);
+ if ((child->ptrace & PT_PTRACED) && child->parent == current) {
+- ret = 0;
+ /*
+ * child->sighand can't be NULL, release_task()
+ * does ptrace_unlink() before __exit_signal().
+ */
+ spin_lock_irq(&child->sighand->siglock);
+- if (task_is_stopped(child))
+- child->state = TASK_TRACED;
+- else if (!task_is_traced(child) && !kill)
+- ret = -ESRCH;
++ WARN_ON_ONCE(task_is_stopped(child));
++ if (task_is_traced(child) || kill)
++ ret = 0;
+ spin_unlock_irq(&child->sighand->siglock);
+ }
+ read_unlock(&tasklist_lock);
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-remove-silly-wait_trap-variable-from-ptrace-attach.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ptrace-remove-silly-wait_trap-variable-from-ptrace-attach.patch Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,45 @@
+commit 0b1007c3578569469a6fab6ae5cca918ccdc3ee1
+Author: Tejun Heo <tj at kernel.org>
+Date: Thu Jun 2 11:13:59 2011 +0200
+
+ ptrace: remove silly wait_trap variable from ptrace_attach()
+
+ Remove local variable wait_trap which determines whether to wait for
+ !TRAPPING or not and simply wait for it if attach was successful.
+
+ -v2: Oleg pointed out wait should happen iff attach was successful.
+
+ Signed-off-by: Tejun Heo <tj at kernel.org>
+ Cc: Oleg Nesterov <oleg at redhat.com>
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index c17536a..319dd93 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -183,7 +183,6 @@ bool ptrace_may_access(struct task_struct *task, unsigned int mode)
+
+ int ptrace_attach(struct task_struct *task)
+ {
+- bool wait_trap = false;
+ int retval;
+
+ audit_ptrace(task);
+@@ -245,7 +244,6 @@ int ptrace_attach(struct task_struct *task)
+ if (task_is_stopped(task)) {
+ task->group_stop |= GROUP_STOP_PENDING | GROUP_STOP_TRAPPING;
+ signal_wake_up(task, 1);
+- wait_trap = true;
+ }
+
+ spin_unlock(&task->sighand->siglock);
+@@ -256,7 +254,7 @@ unlock_tasklist:
+ unlock_creds:
+ mutex_unlock(&task->cred_guard_mutex);
+ out:
+- if (wait_trap)
++ if (!retval)
+ wait_event(current->signal->wait_chldexit,
+ !(task->group_stop & GROUP_STOP_TRAPPING));
+ return retval;
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/signal-Fix-premature-completion-of-group-stop-when-interfered-by-ptrace.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/signal-Fix-premature-completion-of-group-stop-when-interfered-by-ptrace.patch Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,212 @@
+commit e5c1902e9260a0075ea52cb5ef627a8d9aaede89
+Author: Tejun Heo <tj at kernel.org>
+Date: Wed Mar 23 10:37:00 2011 +0100
+
+ signal: Fix premature completion of group stop when interfered by ptrace
+
+ task->signal->group_stop_count is used to track the progress of group
+ stop. It's initialized to the number of tasks which need to stop for
+ group stop to finish and each stopping or trapping task decrements.
+ However, each task doesn't keep track of whether it decremented the
+ counter or not and if woken up before the group stop is complete and
+ stops again, it can decrement the counter multiple times.
+
+ Please consider the following example code.
+
+ static void *worker(void *arg)
+ {
+ while (1) ;
+ return NULL;
+ }
+
+ int main(void)
+ {
+ pthread_t thread;
+ pid_t pid;
+ int i;
+
+ pid = fork();
+ if (!pid) {
+ for (i = 0; i < 5; i++)
+ pthread_create(&thread, NULL, worker, NULL);
+ while (1) ;
+ return 0;
+ }
+
+ ptrace(PTRACE_ATTACH, pid, NULL, NULL);
+ while (1) {
+ waitid(P_PID, pid, NULL, WSTOPPED);
+ ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)(long)SIGSTOP);
+ }
+ return 0;
+ }
+
+ The child creates five threads and the parent continuously traps the
+ first thread and whenever the child gets a signal, SIGSTOP is
+ delivered. If an external process sends SIGSTOP to the child, all
+ other threads in the process should reliably stop. However, due to
+ the above bug, the first thread will often end up consuming
+ group_stop_count multiple times and SIGSTOP often ends up stopping
+ none or part of the other four threads.
+
+ This patch adds a new field task->group_stop which is protected by
+ siglock and uses GROUP_STOP_CONSUME flag to track which task is still
+ to consume group_stop_count to fix this bug.
+
+ task_clear_group_stop_pending() and task_participate_group_stop() are
+ added to help manipulating group stop states. As ptrace_stop() now
+ also uses task_participate_group_stop(), it will set
+ SIGNAL_STOP_STOPPED if it completes a group stop.
+
+ There still are many issues regarding the interaction between group
+ stop and ptrace. Patches to address them will follow.
+
+ - Oleg spotted duplicate GROUP_STOP_CONSUME. Dropped.
+
+ Signed-off-by: Tejun Heo <tj at kernel.org>
+ Acked-by: Oleg Nesterov <oleg at redhat.com>
+ Cc: Roland McGrath <roland at redhat.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index 7d10fbc..b70166e 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1330,6 +1330,7 @@ struct task_struct {
+ int exit_state;
+ int exit_code, exit_signal;
+ int pdeath_signal; /* The signal sent when the parent dies */
++ unsigned int group_stop; /* GROUP_STOP_*, siglock protected */
+ /* ??? */
+ unsigned int personality;
+ unsigned did_exec:1;
+@@ -1841,6 +1842,11 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t *
+ #define tsk_used_math(p) ((p)->flags & PF_USED_MATH)
+ #define used_math() tsk_used_math(current)
+
++/*
++ * task->group_stop flags
++ */
++#define GROUP_STOP_CONSUME (1 << 17) /* consume group stop count */
++
+ #ifdef CONFIG_TREE_PREEMPT_RCU
+
+ #define RCU_READ_UNLOCK_BLOCKED (1 << 0) /* blocked while in RCU read-side. */
+diff --git a/kernel/signal.c b/kernel/signal.c
+index bd8a241..8b60831 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -188,6 +188,52 @@ int next_signal(struct sigpending *pending, sigset_t *mask)
+ return sig;
+ }
+
++/**
++ * task_clear_group_stop_pending - clear pending group stop
++ * @task: target task
++ *
++ * Clear group stop states for @task.
++ *
++ * CONTEXT:
++ * Must be called with @task->sighand->siglock held.
++ */
++static void task_clear_group_stop_pending(struct task_struct *task)
++{
++ task->group_stop &= ~GROUP_STOP_CONSUME;
++}
++
++/**
++ * task_participate_group_stop - participate in a group stop
++ * @task: task participating in a group stop
++ *
++ * @task is participating in a group stop. Group stop states are cleared
++ * and the group stop count is consumed if %GROUP_STOP_CONSUME was set. If
++ * the consumption completes the group stop, the appropriate %SIGNAL_*
++ * flags are set.
++ *
++ * CONTEXT:
++ * Must be called with @task->sighand->siglock held.
++ */
++static bool task_participate_group_stop(struct task_struct *task)
++{
++ struct signal_struct *sig = task->signal;
++ bool consume = task->group_stop & GROUP_STOP_CONSUME;
++
++ task_clear_group_stop_pending(task);
++
++ if (!consume)
++ return false;
++
++ if (!WARN_ON_ONCE(sig->group_stop_count == 0))
++ sig->group_stop_count--;
++
++ if (!sig->group_stop_count) {
++ sig->flags = SIGNAL_STOP_STOPPED;
++ return true;
++ }
++ return false;
++}
++
+ /*
+ * allocate a new signal queue record
+ * - this may be called without locks if and only if t == current, otherwise an
+@@ -1585,7 +1631,7 @@ static void ptrace_stop(int exit_code, int clear_code, siginfo_t *info)
+ * we must participate in the bookkeeping.
+ */
+ if (current->signal->group_stop_count > 0)
+- --current->signal->group_stop_count;
++ task_participate_group_stop(current);
+
+ current->last_siginfo = info;
+ current->exit_code = exit_code;
+@@ -1670,6 +1716,7 @@ static int do_signal_stop(int signr)
+ int notify = 0;
+
+ if (!sig->group_stop_count) {
++ unsigned int gstop = GROUP_STOP_CONSUME;
+ struct task_struct *t;
+
+ if (!likely(sig->flags & SIGNAL_STOP_DEQUEUED) ||
+@@ -1681,6 +1728,7 @@ static int do_signal_stop(int signr)
+ */
+ sig->group_exit_code = signr;
+
++ current->group_stop = gstop;
+ sig->group_stop_count = 1;
+ for (t = next_thread(current); t != current; t = next_thread(t))
+ /*
+@@ -1690,19 +1738,19 @@ static int do_signal_stop(int signr)
+ */
+ if (!(t->flags & PF_EXITING) &&
+ !task_is_stopped_or_traced(t)) {
++ t->group_stop = gstop;
+ sig->group_stop_count++;
+ signal_wake_up(t, 0);
+- }
++ } else
++ task_clear_group_stop_pending(t);
+ }
+ /*
+ * If there are no other threads in the group, or if there is
+ * a group stop in progress and we are the last to stop, report
+ * to the parent. When ptraced, every thread reports itself.
+ */
+- if (!--sig->group_stop_count) {
+- sig->flags = SIGNAL_STOP_STOPPED;
++ if (task_participate_group_stop(current))
+ notify = CLD_STOPPED;
+- }
+ if (task_ptrace(current))
+ notify = CLD_STOPPED;
+
+@@ -1961,10 +2009,8 @@ void exit_signals(struct task_struct *tsk)
+ recalc_sigpending_and_wake(t);
+
+ if (unlikely(tsk->signal->group_stop_count) &&
+- !--tsk->signal->group_stop_count) {
+- tsk->signal->flags = SIGNAL_STOP_STOPPED;
++ task_participate_group_stop(tsk))
+ group_stop = CLD_STOPPED;
+- }
+ out:
+ spin_unlock_irq(&tsk->sighand->siglock);
+
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/signal-Remove-superflous-try_to_freeze-loop-in-do_signal_stop.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/signal-Remove-superflous-try_to_freeze-loop-in-do_signal_stop.patch Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,32 @@
+commit 71db5eb99c960e9c30e4b3ed04103c513b6251b5
+Author: Tejun Heo <tj at kernel.org>
+Date: Wed Mar 23 10:37:00 2011 +0100
+
+ signal: Remove superflous try_to_freeze() loop in do_signal_stop()
+
+ do_signal_stop() is used only by get_signal_to_deliver() and after a
+ successful signal stop, it always calls try_to_freeze(), so the
+ try_to_freeze() loop around schedule() in do_signal_stop() is
+ superflous and confusing. Remove it.
+
+ Signed-off-by: Tejun Heo <tj at kernel.org>
+ Acked-by: Rafael J. Wysocki <rjw at sisk.pl>
+ Acked-by: Oleg Nesterov <oleg at redhat.com>
+ Acked-by: Roland McGrath <roland at redhat.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 4a238e1..adc676d 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1772,9 +1772,7 @@ static int do_signal_stop(int signr)
+ }
+
+ /* Now we don't run again until woken by SIGCONT or SIGKILL */
+- do {
+- schedule();
+- } while (try_to_freeze());
++ schedule();
+
+ tracehook_finish_jctl();
+ current->exit_code = 0;
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/signal-Use-GROUP_STOP_PENDING-to-stop-once-for-a-single-group-stop.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/signal-Use-GROUP_STOP_PENDING-to-stop-once-for-a-single-group-stop.patch Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,208 @@
+commit 39efa3ef3a376a4e53de2f82fc91182459d34200
+Author: Tejun Heo <tj at kernel.org>
+Date: Wed Mar 23 10:37:00 2011 +0100
+
+ signal: Use GROUP_STOP_PENDING to stop once for a single group stop
+
+ Currently task->signal->group_stop_count is used to decide whether to
+ stop for group stop. However, if there is a task in the group which
+ is taking a long time to stop, other tasks which are continued by
+ ptrace would repeatedly stop for the same group stop until the group
+ stop is complete.
+
+ Conversely, if a ptraced task is in TASK_TRACED state, the debugger
+ won't get notified of group stops which is inconsistent compared to
+ the ptraced task in any other state.
+
+ This patch introduces GROUP_STOP_PENDING which tracks whether a task
+ is yet to stop for the group stop in progress. The flag is set when a
+ group stop starts and cleared when the task stops the first time for
+ the group stop, and consulted whenever whether the task should
+ participate in a group stop needs to be determined. Note that now
+ tasks in TASK_TRACED also participate in group stop.
+
+ This results in the following behavior changes.
+
+ * For a single group stop, a ptracer would see at most one stop
+ reported.
+
+ * A ptracee in TASK_TRACED now also participates in group stop and the
+ tracer would get the notification. However, as a ptraced task could
+ be in TASK_STOPPED state or any ptrace trap could consume group
+ stop, the notification may still be missing. These will be
+ addressed with further patches.
+
+ * A ptracee may start a group stop while one is still in progress if
+ the tracer let it continue with stop signal delivery. Group stop
+ code handles this correctly.
+
+ Oleg:
+
+ * Spotted that a task might skip signal check even when its
+ GROUP_STOP_PENDING is set. Fixed by updating
+ recalc_sigpending_tsk() to check GROUP_STOP_PENDING instead of
+ group_stop_count.
+
+ * Pointed out that task->group_stop should be cleared whenever
+ task->signal->group_stop_count is cleared. Fixed accordingly.
+
+ * Pointed out the behavior inconsistency between TASK_TRACED and
+ RUNNING and the last behavior change.
+
+ Signed-off-by: Tejun Heo <tj at kernel.org>
+ Acked-by: Oleg Nesterov <oleg at redhat.com>
+ Cc: Roland McGrath <roland at redhat.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/exec.c b/fs/exec.c
+index fd1efbe..59c8093 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1616,6 +1616,7 @@ static int zap_process(struct task_struct *start)
+
+ t = start;
+ do {
++ task_clear_group_stop_pending(t);
+ if (t != current && t->mm) {
+ sigaddset(&t->pending.signal, SIGKILL);
+ signal_wake_up(t, 1);
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index b70166e..7539fbe 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1845,8 +1845,11 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t *
+ /*
+ * task->group_stop flags
+ */
++#define GROUP_STOP_PENDING (1 << 16) /* task should stop for group stop */
+ #define GROUP_STOP_CONSUME (1 << 17) /* consume group stop count */
+
++extern void task_clear_group_stop_pending(struct task_struct *task);
++
+ #ifdef CONFIG_TREE_PREEMPT_RCU
+
+ #define RCU_READ_UNLOCK_BLOCKED (1 << 0) /* blocked while in RCU read-side. */
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 8b60831..a04db3b 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -120,7 +120,7 @@ static inline int has_pending_signals(sigset_t *signal, sigset_t *blocked)
+
+ static int recalc_sigpending_tsk(struct task_struct *t)
+ {
+- if (t->signal->group_stop_count > 0 ||
++ if ((t->group_stop & GROUP_STOP_PENDING) ||
+ PENDING(&t->pending, &t->blocked) ||
+ PENDING(&t->signal->shared_pending, &t->blocked)) {
+ set_tsk_thread_flag(t, TIF_SIGPENDING);
+@@ -197,19 +197,19 @@ int next_signal(struct sigpending *pending, sigset_t *mask)
+ * CONTEXT:
+ * Must be called with @task->sighand->siglock held.
+ */
+-static void task_clear_group_stop_pending(struct task_struct *task)
++void task_clear_group_stop_pending(struct task_struct *task)
+ {
+- task->group_stop &= ~GROUP_STOP_CONSUME;
++ task->group_stop &= ~(GROUP_STOP_PENDING | GROUP_STOP_CONSUME);
+ }
+
+ /**
+ * task_participate_group_stop - participate in a group stop
+ * @task: task participating in a group stop
+ *
+- * @task is participating in a group stop. Group stop states are cleared
+- * and the group stop count is consumed if %GROUP_STOP_CONSUME was set. If
+- * the consumption completes the group stop, the appropriate %SIGNAL_*
+- * flags are set.
++ * @task has GROUP_STOP_PENDING set and is participating in a group stop.
++ * Group stop states are cleared and the group stop count is consumed if
++ * %GROUP_STOP_CONSUME was set. If the consumption completes the group
++ * stop, the appropriate %SIGNAL_* flags are set.
+ *
+ * CONTEXT:
+ * Must be called with @task->sighand->siglock held.
+@@ -219,6 +219,8 @@ static bool task_participate_group_stop(struct task_struct *task)
+ struct signal_struct *sig = task->signal;
+ bool consume = task->group_stop & GROUP_STOP_CONSUME;
+
++ WARN_ON_ONCE(!(task->group_stop & GROUP_STOP_PENDING));
++
+ task_clear_group_stop_pending(task);
+
+ if (!consume)
+@@ -702,6 +704,9 @@ static int prepare_signal(int sig, struct task_struct *p, int from_ancestor_ns)
+ rm_from_queue(sigmask(SIGCONT), &signal->shared_pending);
+ t = p;
+ do {
++
++ task_clear_group_stop_pending(t);
++
+ rm_from_queue(sigmask(SIGCONT), &t->pending);
+ } while_each_thread(p, t);
+ } else if (sig == SIGCONT) {
+@@ -855,6 +860,7 @@ static void complete_signal(int sig, struct task_struct *p, int group)
+ signal->group_stop_count = 0;
+ t = p;
+ do {
++ task_clear_group_stop_pending(t);
+ sigaddset(&t->pending.signal, SIGKILL);
+ signal_wake_up(t, 1);
+ } while_each_thread(p, t);
+@@ -1087,6 +1093,7 @@ void zap_other_threads(struct task_struct *p)
+ p->signal->group_stop_count = 0;
+
+ for (t = next_thread(p); t != p; t = next_thread(t)) {
++ task_clear_group_stop_pending(t);
+ /*
+ * Don't bother with already dead threads
+ */
+@@ -1630,7 +1637,7 @@ static void ptrace_stop(int exit_code, int clear_code, siginfo_t *info)
+ * If there is a group stop in progress,
+ * we must participate in the bookkeeping.
+ */
+- if (current->signal->group_stop_count > 0)
++ if (current->group_stop & GROUP_STOP_PENDING)
+ task_participate_group_stop(current);
+
+ current->last_siginfo = info;
+@@ -1715,8 +1722,8 @@ static int do_signal_stop(int signr)
+ struct signal_struct *sig = current->signal;
+ int notify = 0;
+
+- if (!sig->group_stop_count) {
+- unsigned int gstop = GROUP_STOP_CONSUME;
++ if (!(current->group_stop & GROUP_STOP_PENDING)) {
++ unsigned int gstop = GROUP_STOP_PENDING | GROUP_STOP_CONSUME;
+ struct task_struct *t;
+
+ if (!likely(sig->flags & SIGNAL_STOP_DEQUEUED) ||
+@@ -1736,8 +1743,7 @@ static int do_signal_stop(int signr)
+ * stop is always done with the siglock held,
+ * so this check has no races.
+ */
+- if (!(t->flags & PF_EXITING) &&
+- !task_is_stopped_or_traced(t)) {
++ if (!(t->flags & PF_EXITING) && !task_is_stopped(t)) {
+ t->group_stop = gstop;
+ sig->group_stop_count++;
+ signal_wake_up(t, 0);
+@@ -1853,8 +1859,8 @@ relock:
+ for (;;) {
+ struct k_sigaction *ka;
+
+- if (unlikely(signal->group_stop_count > 0) &&
+- do_signal_stop(0))
++ if (unlikely(current->group_stop &
++ GROUP_STOP_PENDING) && do_signal_stop(0))
+ goto relock;
+
+ /*
+@@ -2008,7 +2014,7 @@ void exit_signals(struct task_struct *tsk)
+ if (!signal_pending(t) && !(t->flags & PF_EXITING))
+ recalc_sigpending_and_wake(t);
+
+- if (unlikely(tsk->signal->group_stop_count) &&
++ if (unlikely(tsk->group_stop & GROUP_STOP_PENDING) &&
+ task_participate_group_stop(tsk))
+ group_stop = CLD_STOPPED;
+ out:
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/wake_up_process-should-be-never-used-to-wakeup-a-TASK_STOPPED-TRACED-tack.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/wake_up_process-should-be-never-used-to-wakeup-a-TASK_STOPPED-TRACED-tack.patch Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,29 @@
+commit 9067ac85d533651b98c2ff903182a20cbb361fcb
+Author: Oleg Nesterov <oleg at redhat.com>
+Date: Mon Jan 21 20:48:17 2013 +0100
+
+ wake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task
+
+ wake_up_process() should never wakeup a TASK_STOPPED/TRACED task.
+ Change it to use TASK_NORMAL and add the WARN_ON().
+
+ TASK_ALL has no other users, probably can be killed.
+
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/kernel/sched.c b/kernel/sched.c
+index 82078b6..438aa9b 100644
+--- a/kernel/sched.c
++++ b/kernel/sched.c
+@@ -2625,7 +2625,8 @@ out:
+ */
+ int wake_up_process(struct task_struct *p)
+ {
+- return try_to_wake_up(p, TASK_ALL, 0);
++ WARN_ON(task_is_stopped_or_traced(p));
++ return try_to_wake_up(p, TASK_NORMAL, 0);
+ }
+ EXPORT_SYMBOL(wake_up_process);
+
Added: dists/squeeze-security/linux-2.6/debian/patches/series/46squeeze2
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/46squeeze2 Mon Feb 18 23:26:08 2013 (r19825)
@@ -0,0 +1,14 @@
++ bugfix/all/ptrace-collapse-ptrace_untrace-into-__ptrace_unlink.patch
++ bugfix/all/ptrace-Kill-tracehook_notify_jctl.patch
++ bugfix/all/signal-Fix-premature-completion-of-group-stop-when-interfered-by-ptrace.patch
++ bugfix/all/signal-Use-GROUP_STOP_PENDING-to-stop-once-for-a-single-group-stop.patch
++ bugfix/all/ptrace-Add-why-to-ptrace_stop.patch
++ bugfix/all/signal-Remove-superflous-try_to_freeze-loop-in-do_signal_stop.patch
++ bugfix/all/ptrace-Make-do_signal_stop-use-ptrace_stop-if-the-task-is-being-ptraced.patch
++ bugfix/all/ptrace-Clean-transitions-between-TASK_STOPPED-and-TRACED.patch
++ bugfix/all/ptrace-Always-put-ptracee-into-appropriate-execution-state.patch
++ bugfix/all/ptrace-remove-silly-wait_trap-variable-from-ptrace-attach.patch
++ bugfix/all/ptrace-introduce-signal_wake_up_state-and-ptrace_signal_wake_up.patch
++ bugfix/all/ptrace-ptrace_check_attach-should-not-do-STOPPED-TRACED.patch
++ bugfix/all/ptrace-ensure-arch_ptrace-ptrace_request-can-never-race-with-SIGKILL.patch
++ bugfix/all/wake_up_process-should-be-never-used-to-wakeup-a-TASK_STOPPED-TRACED-tack.patch
More information about the Kernel-svn-changes
mailing list